Attorneys General from 12 U.S. states this week filed a lawsuit against a healthcare tech solutions provider over a data breach suffered by the company in 2015.
The target of the lawsuit is Medical Informatics Engineering (MIE), previously known as Enterprise Health, and its subsidiary NoMoreClipboard. Their products allow healthcare providers to transmit and share information.
MIE informed customers in the summer of 2015 that servers used by its WebChart electronic health record (EHR) solution had been breached and the details of 3.9 million individuals had been accessed. The compromised information included names, phone numbers, addresses, usernames, hashed passwords, email addresses, security questions and answers, dates of birth, social security numbers, health insurance details, and medical information.
Attorneys General from 12 states have decided to file a lawsuit against MIE in what has been described as the first multistate data breach lawsuit related to the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA, among other things, establishes policies and procedures for maintaining the privacy and the security of protected health information. AGs allege MIE violated provisions of HIPAA, along with unfair and deceptive practice laws, notice of data breach statutes, and state-level laws focusing on the protection of personal information.
The complaint was filed in Indiana, where MIE is headquartered, by AGs representing Indiana, Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin.
Authorities claim MIE failed to implement basic data security measures, it did not have security mechanisms in place for preventing the exploitation of vulnerabilities in its systems, it failed to encrypt sensitive personal and medical information, and had an inadequate and ineffective response to the breach.
“Last year, more than 5.3 million North Carolinians were estimated to have been affected by a data breach,” said Josh Stein, Attorney General for North Carolina. “I expect this year’s number will also be troubling. We must do better at protecting people’s personal information – particularly health and other sensitive information.”
MIE did not immediately respond to SecurityWeek’s request for comment on the lawsuit.